China's Cyber Security Law: With more questions than answers, what steps can you take now?

The Cyber Security Law of the People’s Republic of China (网络安全法; the CSL), which came into effect on June 1, 2017, imposes far-reaching restrictions on how computer networks in China are operated. It also sets forth provisions governing data privacy and security that, among other things, require data localization and government-led security reviews and restrict cross-border transfers. The CSL is part of a developing legislative framework for cyber governance in China that seeks to protect China’s cyber sovereignty and preserve its cyber security for national security reasons. However, many of the CSL’s key provisions are broadly drafted and omit critical details, making it difficult for companies to determine whether the provisions apply to them and, if so, how to comply.

The government has published additional regulations to help clarify some aspects of the CSL, but significant work still needs to be done. Addressing the remaining issues will likely take several months while government agencies with responsibility for network security and government agencies with sector-specific responsibilities work together to develop further relevant regulations and standards. As a result, enforcement of some provisions of the CSL may be limited; however, pilot enforcement campaigns in particular industries or in relation to particular network operators are expected.

The following discussion provides an overview of the key elements of the CSL, identifies where ambiguity still remains, and offers suggested steps that companies can take until the various rule-making and standard-setting work currently underway is completed.

To Whom Does the CSL Apply?

The provisions of the CSL apply to the following types of entities:

Network operators;

Operators of “critical information infrastructure” (关键信息基础设施; “CII operators”), a term which as discussed below describes certain major computer networks, a failure of which would have an impact on national security; and

Manufacturers and suppliers of network products and services.

Network operators are defined as parties who own or administer a computer network in China and network services providers (companies providing licensed telecommunications services over the network). Given this broad definition, the CSL’s network operator provisions potentially apply to all companies operating in China that use the Internet or other networks to carry out their businesses.

In contrast, CII operators are more narrowly defined and appear to be limited to network operators in important industries, such as public communications and information services, energy, transportation, water resources, finance, public utilities, and e-government affairs, where any damage, loss of function or data breach of the network might seriously endanger national security, national welfare and people’s livelihood, or the public interest. Questions still remain though about what infrastructure constitutes CII. The State Council, which is responsible for issuing regulations that will specify the scope of CII in greater detail, has not yet issued its regulations. However, the Cyberspace Administration of China (国家互联网信息办公室; CAC) issued draft regulations for public comment in June 2017 that provide additional but insufficient guidance on this question.

Draft CII Regulations

The CAC’s draft Regulations for Security Protection of Critical Information Infrastructure (关键信息基础设施安全保护条例(征求意见稿); the “DraftCII Regulations”) state that a network or information system operated or managed by one of the following entities will be regarded as CII if damage, a loss of function or data breach involving the network or system might seriously endanger national security, national welfare and people’s livelihood, or the public interest:

Government authorities;

Entities in sectors such as energy, finance, transportation, water resources, hygiene and healthcare, education, social insurance, environmental protection and public utilities;

Operators of information networks such as telecommunications networks, broadcast networks and the Internet;

R&D and manufacturing entities in sectors such as science and technology for the national defense industry, large equipment, chemicals, and food and drugs;

News organizations such as radio stations, television stations and news agencies; and

Other key entities (重点单位).

However, the Draft CII Regulations note that the specific scope of CII will be determined on a sector-by-sector basis. In particular, the CAC, the Ministry of Industry and Information Technology and the Ministry of Public Security will promulgate guidelines for the recognition of CII and government authorities responsible for specific sectors will follow these guidelines in their specification of CII in their respective sectors.

There is no specified timeframe for completion of this additional work but, according to a media interview with a senior CAC official the definition of the scope of CII and the protective measures to be adopted by CII would be completed no later than May 31, 2018.

Key Provisions of the CSL

The CSL imposes a number of general network security and data privacy and security obligations on network operators and manufacturers. As described below, these provisions build on and consolidate provisions found in existing laws. In addition, the CSL imposes new and controversial obligations and restrictions on CII operators with respect to network security, data localization, and cross-border transfers. The law also provides for enhanced regulatory oversight of all network operators.

1. General Data Privacy Requirements

The CSL sets forth the following general data privacy requirements:

Collection and use of personal information are subject to principles of legality, legitimacy and necessity;

The purpose, method and scope of collection and use must be expressly disclosed;

Consent is required to collect and use personal information;

Personal information may only be collected and used in connection with the provision of service;

Personal information must not be leaked, modified or destroyed;

Personal information may not be disclosed to others without the individual’s consent;

Data privacy policies should be disclosed.

Individuals have the right to demand that personal information that is collected unlawfully be deleted and the right to have their personal information corrected; and

No entity or individual may steal or acquire personal information by unlawful means or unlawfully sell or provide personal information to others.

These provisions reflect the data privacy rules that are already in place in existing consumer protection, telecommunications and other sector-specific legislation.

2. General Security Requirements for Network Operators and Manufacturers

All network operators are required to:

Establish an internal management system and internal rules to govern network security with formal designation of personnel who are allocated responsibility for network security;

Adopt technical measures to prevent viruses and various network attacks;

Monitor and record network operations and keep related logs for not less than six months;

Adopt measures to classify data, back up important data and encrypt data;

Cooperate with public security and national security authorities in the exercise of their supervisory and investigative powers.

In addition to the above requirements, CII operators are subject to a number of other requirements, such as setting up specialized security management departments, conducting security background checks, providing periodic network security education and technical training for employees, carrying out disaster recovery backups of important systems and databases, creating emergency response plans for network security incidents, and undertaking annual third party security and risk assessments.

All manufacturers and suppliers of network products and services are subject to the following prohibitions and obligations:

A prohibition against the use of malicious programs;

An obligation to remedy any security flaw identified and to notify users and relevant government departments;

Requirement to obtain express consent of users for the collection of user information;

Before offering “critical network equipment” and “specialized network security products” for sale in China, a valid security certification or testing of that equipment or product.

To implement this last requirement, the CAC and other government departments jointly issued in June 2017 the Catalogue for Key Network Equipment and Specialized Network Security Products (First Batch) (网络关键设备和网络安全专用产品目录 (第一批).). Network equipment designated in this catalogue includes specific types of routers, switches, servers and PLC equipment, and, which security products include specific types of data backup equipment, firewalls, intrusion detection systems and intrusion prevention systems. A notice accompanying the catalogue specifies that the relevant inspection or certification process is a certification process administered by the Ministry of Public Security, a certification process administered by the MIIT, or a certification process administered by the Accreditation Administration of China.

3. Data Localization and Cross-Border Transfers

The CSL requires CII operators to store in China both personal information and “important data” (undefined) that are collected and produced in the course of business operations in China. It also restricts the transfers of such data to overseas parties by subjecting such transfers to a security assessment. At present, these rules only apply to CII operators; however, they may be extended to cover all network operators, if the CAC’s draft Measures for Security Assessment of Cross-Border Export of Personal Information and Significant Data (《个人信息和重要数据出境安全评估办法数据出境评估办法》 (征求意见稿)) (the “Draft Data Export Measures”) are finalized in their current form.

Scope and Definition of Covered Data

The scope of data that are subject to the data localization and cross-border transfer requirements remains unclear. In particular, it is unclear if a company’s own human resources (HR) data are potentially subject to the data localization requirement. Informal guidance provided by CAC officials suggests that only commercial data related to a network operator’s business are covered; HR data are not covered. Hopefully this issue will be clarified after the implementing measures are issued.

With respect to the question of what constitutes “important data,” the CAC’s Draft Data Export Measures define such data as data that are closely related to “national security, economic development or the public interest.” The Draft Data Export Measures also state that the detailed scope will be governed by “guidance on identification of significant data (重要数据识别指南).” That document has been provided in draft form as an appendix to the draft Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (信息安全技术 数据出境安全评估指南 (草案); the “Draft Security Assessment Guidelines”), which has been circulated for public comment. That appendix provides a definition of the term and also sets out in a lengthy list specific “important data” across 26 different sectors.

Security Assessments for Cross-Border Transfers

Prior to transferring personal information across borders, the CSL required CII operators to conduct a security assessment. According to the Draft Data Export Measures, the assessment should consider the following issues:

The necessity of exporting the data;

The status of personal information or significant data concerned;

The data recipient’s capability and standard of protective measures of data security, and the network security environment of the country and region where such recipient is located;

The risks of personal information being leaked, damaged, falsified or abused; and

The risks to national security, public interest, and personal lawful interest that may be caused by exporting the data and combination of exported data.

In addition, the Draft Security Assessment Guidelines provide detailed guidance on the security assessment procedures to be followed and the factors to be assessed. According to the Draft Security Assessment Guidelines, two broad questions should be assessed: (1) whether a proposed data transfer is legal and justified and (2) whether related risks are controllable, considering such issues as:

Whether the information is sensitive;

The number of individuals and the volume of data involved;

Whether the information has been de-sensitized;

The capabilities of both the dispatching party and the recipient party; and

The political and legal environment of the country or region where the recipient party is located.

Detailed assessment methods are provided in Appendix B of the Draft Security Assessment Guidelines, the Security Risk Assessment Methods for Cross-Border Transfer of Personal Information and Important Data (个人信息和重要数据出境安全风险评估办法).

According to the Draft Data Export Measures, in some situations, the security assessment may be undertaken by the CII operator/network operator itself; in other cases, it must be carried out in conjunction with the relevant Chinese authorities. An example of when relevant authorities must be involved is when the personal data of more than 500,000 individuals is proposed.

The Draft Data Export Measures also prohibit the transfer of data to overseas parties, if a transfer endangers political, economic or technological security; homeland, military, cultural, social, information or ecological security; or the security of resources or nuclear facilities.

Remote Access

Another important issue that needs to be clarified is whether remote access to computer networks in China from overseas constitutes a transfer of data. Based on the Draft CII Regulations, it appears that remote access would be considered to be a transfer. In particular, the Draft CII Regulations require that the maintenance of CII must be conducted inside China and that prior approval from the relevant sector-specific authority and the Ministry of Public Security must be obtained if, due to business requirements, maintenance needs to be undertaken remotely from offshore.

Consent Requirements for Cross-Border Transfers

Under the Draft Data Export Measures, consent is required to transfer personal information except in the event of an emergency or where there is implied consent by virtue of the individual’s proactive conduct (e.g., making international phone calls and sending emails to overseas recipients).

4. National Security Review of Products and Services

The CSL requires CII operators procuring network products and services to undergo a CAC-led security review process if the procurement “might have an effect on national security.” Additional details are set forth in the first set of binding implementing rules under the CSL issued by the CAC in May 2017. The CAC’s Measures for Security Review of Network Products and Services (Trial Implementation) (网络产品和服务安全审查办法(试行); the “Security Review Measures”) describe as the key focus of the security review the evaluation of the “security (安全性) and controllability (可控性)” of the relevant product or service. The “security and controllability” criteria include considerations of security and controllability risks inherent to the product or service, security risks that relate to the supply chain, risks related to user information, and risks of the user’s interests being harmed by the product or of the service provider caused by taking advantage of the user’s reliance on the product or service.

Determination of which particular products and services may have an effect on national security and, therefore, would be subject to security review will be done on a sector-by-sector basis by the “key information infrastructure protection department” (关键信息基础设施保护工作部门, “KIIP Department”) in the government ministry responsible for the particular sector. According to the CSL, KIIP Departments will be set up within the different government departments with oversight of KII in different sectors. As far as we are aware, no sector-specific catalogue of network products and services subject to national security review has been issued yet, and indeed it is not clear whether relevant government ministries have set up KIIP Departments yet.

5. Penalties

CSL violations can result in a host of penalties, including warnings, suspensions, confiscation of illegal income, fines that in some limited cases can be in amounts up to RMB 1,000,000 (approximately US$150,000) and fines set as a multiple of illegal income. In addition, supervisory personnel can, in some cases, be subject to fines and, in limited cases, imprisonment.

The CSL also contemplates that foreign companies and other parties interfering with CII can be subject to legal liability.

Enforcement

It appears that certain government departments have already started to undertake security inspections and investigations on certain networks and IT systems on the basis of guidance on the scope of CII set out in an internal CAC notice. The notice is not publicly available but there are other documents in circulation that purport to be appendices to the notice. Among other things, these appendices include a document entitled Guidelines for Determination of Critical Information Infrastructure (关键信息基础设施确定指南; the “CII Guidelines”). The CII Guidelines do not provide definitive guidance on the scope of CII, but do provide important insight on the perspective of a key enforcement agency in relation to the scope question. Various characteristics are set out in the CII Guidelines to assist government departments to identify IT systems for inspection as part of the pilot program. These include, for example:

Certain types of government networks;

Data centers of a particular scale;

Systems that, if affected by a network incident, would result in the well-being or livelihood of sizable proportion of the local community; and

Websites with daily page views above a stated number.

The CII Guidelines have not been formally issued and, even if the document in circulation is genuine, the guidelines only relate to a specific pilot program and should not be taken as offering a definitive explanation of CII. Companies should view the CII Guidelines, at most, as evidencing the types of considerations that may guide the CAC and other government departments in the work remaining to be done in order to define CII.

Conclusion

Until the various rule-making and standard-setting work currently underway is completed, companies operating in China should consider taking the following steps:

Actively monitor the issuance of implementing regulations by the CAC and other government departments;

Assess your company’s compliance with the data privacy provisions of the CSL, including through review of the terms of your data privacy policies and your company’s compliance with those policies;

Review current practices in your Chinese operations in regard to cross-border transfers of personal information and other important business data (including remote access to data by parties overseas) and assess implications of potential future limitations on those transfers;

Refresh “dawn raid” protocols that govern how Chinese operations respond to visits from government authorities;

Assure that basic requirements of the CSL in regard to network security are met, including requirements to have an identifiable management structure with responsibility for network security, basic technical measures to prevent security breaches and network logs of no less than six months; and

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.